
Q&A: Does Silverline WAF automatically update attack signatures?

 

Question

  • How often does Silverline update their attack signatures?
  • What is the process for updating the attack signatures?

 

Environment

  • Silverline WAF
  • Module/Attack Signatures

 

Answer

Yes, the Silverline WAF automatically updates attack signatures. CVEs are checked every day, and signatures are updated according to urgency and criticality.

Updating the signatures is a multi-stage process:

1) The ASM Product Development Team releases a signature update.

2) Silverline reviews the details of the update and determines how urgently it must be installed and whether an emergency (i.e. immediate) installation is justified. An emergency installation would be justified if, for example, the update contains protections for a critical CVE that is being actively exploited.

3) Otherwise, a burn-in period of 7-14 days is allowed to elapse, during which the operational impact of the update is reviewed (i.e. outside of Silverline).

4) The signature update manifest is posted in the Silverline Knowledge Base's Release Notes section with the proposed deployment time.

  • Typically ~24 hours prior to the signature update deployment time
  • [Screenshot: example of how the notice appears in the Release Notes section]
  • To receive these signature update notifications by email, subscribe to Release Notes.

5) The signature update is performed by Silverline Ops Teams one DC at a time, during which diligent monitoring is performed. 

  • Any observed false positives are proactively tuned by the SOC, and the customer is notified.
  • The customer will also be notified and asked for a tuning decision if the signature update introduces a spike of violations that cannot be conclusively determined to be false positives.  
  • Note that recent signature updates have resulted in a very low incidence of introduced false positives.

6) A signature update may be rolled back if a significant number of false positives are introduced. This has never been required to date.

 
